But there are those in Congress and in Europe who don’t think Facebook has gone far enough yet. European Data Protection Supervisor Giovanni Buttarelli, for example, has suggested Facebook views its users as “experimental rats.”

Facebook could take action: Its market power alone could make it a major advocate for privacy and cybersecurity around the world. The company could, for example, back efforts to modernize international privacy law. Facebook could also require its vendors and partners to provide world-class cybersecurity protections for users and their information. It could, in short, lead a global race to the top and in the process promote cyber peace. In coordination with other technology companies, those efforts would only be more likely to succeed.

Another logical next step would be for Facebook to provide its users with a paid subscription option and thereby allow them to completely opt out of having their personal data packaged and sold for advertising. However, that creates a different ethical problem, because poorer people would not be able to afford to keep their data private and still use Facebook. The main way to address that problem is to flip the relationship and have Facebook pay people for their data. One economist estimates the value could be as much as US$1,000 a year for the average social media user.

Proposed new laws could also help. The CONSENT Act, for example, would require data-gathering social networks to get clear consent from users before being able to “use, share, or sell any personal information.” The Federal Trade Commission would enforce those rules. Lawmakers could go further still and let the FTC impose larger fines for data breaches, make platforms liable for hosting illegal information, or even require companies to establish ethical review boards similar to those at universities.

Richard Stolley, founding managing editor of People Magazine, famously (and somewhat ironically) described privacy as “fragile merchandise.” This merchandise, which we have all entrusted to Facebook, once broken, is not easily fixed. Zuckerberg told Congress he understands this fact, and that his firm needs to rebuild users’ trust. If Facebook declared its support for both privacy and security as inalienable human rights akin to internet access, that could help the company get started, before policymakers in the U.S. and around the world step up to have their say.

Scott Shackelford, Associate Professor of Business Law and Ethics; Director, Ostrom Workshop Program on Cybersecurity and Internet Governance; Cybersecurity Program Chair, IU-Bloomington, Indiana University